@chrysb/alphaclaw 0.9.13 → 0.9.15

package/lib/public/js/components/agents-tab/agent-identity-section.js

@@ -116,7 +116,7 @@ export const AgentIdentitySection = ({
                   value=${form.emoji}
                   onInput=${(event) => updateField("emoji", event.target.value)}
                   class="w-full bg-field border border-border rounded-lg px-3 py-2 text-sm text-body outline-none focus:border-fg-muted"
-                  placeholder="Optional emoji"
+                  placeholder="Single emoji, e.g. ✨"
                 />
               </label>
               <label class="block space-y-1">

package/lib/public/js/components/general/use-general-tab.js

@@ -218,15 +218,27 @@ export const useGeneralTab = ({
   };
 
   const handleDeviceApprove = async (id) => {
-    await approveDevice(id);
-    setTimeout(devicePoll.refresh, 500);
-    setTimeout(devicePoll.refresh, 2000);
+    try {
+      await approveDevice(id);
+      showToast("Device pairing approved", "success");
+      setTimeout(devicePoll.refresh, 500);
+      setTimeout(devicePoll.refresh, 2000);
+    } catch (err) {
+      showToast(err.message || "Could not approve device pairing", "error");
+      throw err;
+    }
   };
 
   const handleDeviceReject = async (id) => {
-    await rejectDevice(id);
-    setTimeout(devicePoll.refresh, 500);
-    setTimeout(devicePoll.refresh, 2000);
+    try {
+      await rejectDevice(id);
+      showToast("Device pairing rejected", "info");
+      setTimeout(devicePoll.refresh, 500);
+      setTimeout(devicePoll.refresh, 2000);
+    } catch (err) {
+      showToast(err.message || "Could not reject device pairing", "error");
+      throw err;
+    }
   };
 
   const handleWatchdogRepair = async () => {
@@ -252,10 +264,15 @@ export const useGeneralTab = ({
     setDashboardLoading(true);
     try {
       const data = await fetchDashboardUrl();
-      console.log("[dashboard] response:", JSON.stringify(data));
+      if (data.needsAuth) {
+        showToast(
+          "OpenClaw dashboard token is missing from the AlphaClaw server environment",
+          "warning",
+        );
+      }
       window.open(data.url || "/openclaw", "_blank");
     } catch (err) {
-      console.error("[dashboard] error:", err);
+      showToast(err.message || "Could not open OpenClaw dashboard", "error");
       window.open("/openclaw", "_blank");
     } finally {
       setDashboardLoading(false);

package/lib/public/js/components/modal-shell.js

@@ -46,9 +46,6 @@ export const ModalShell = ({
         onpointercancel=${() => {
           overlayPointerDownRef.current = false;
         }}
-        onclick=${(event) => {
-          event.preventDefault();
-        }}
       >
         <div class=${panelClassName}>${children}</div>
       </div>

package/lib/public/js/components/sidebar.js

@@ -33,6 +33,7 @@ import {
   getSessionDisplayLabel,
   getSessionRowKey,
 } from "../lib/session-keys.js";
+import { sanitizeAgentEmoji } from "../lib/agent-identity.js";
 import { ThemeToggle } from "./theme-toggle.js";
 
 const html = htm.bind(h);
@@ -91,7 +92,7 @@ const renderNavItem = ({ item, selectedNavId, onSelectNavItem }) => {
   `;
 };
 
-const getAgentIdentityEmoji = (agent) => String(agent?.identity?.emoji || "").trim();
+const getAgentIdentityEmoji = (agent) => sanitizeAgentEmoji(agent?.identity?.emoji);
 
 export const AppSidebar = ({
   mobileSidebarOpen = false,

package/lib/public/js/lib/agent-identity.js

@@ -0,0 +1,8 @@
+const kNonEmojiPattern = /[A-Za-z0-9:]/;
+
+export const sanitizeAgentEmoji = (rawEmoji) => {
+  const trimmed = String(rawEmoji ?? "").trim();
+  if (!trimmed) return "";
+  if (kNonEmojiPattern.test(trimmed)) return "";
+  return trimmed;
+};

package/lib/public/js/lib/api.js

@@ -466,7 +466,7 @@ export async function updateWatchdogSettings(settings) {
 
 export async function fetchDashboardUrl() {
   const res = await authFetch("/api/gateway/dashboard");
-  return res.json();
+  return parseJsonOrThrow(res, "Could not load dashboard URL");
 }
 
 export async function fetchAlphaclawVersion(refresh = false) {
@@ -682,13 +682,15 @@ export async function fetchDevicePairings() {
 }
 
 export async function approveDevice(id) {
-  const res = await authFetch(`/api/devices/${id}/approve`, { method: "POST" });
-  return res.json();
+  const safeId = encodeURIComponent(String(id || ""));
+  const res = await authFetch(`/api/devices/${safeId}/approve`, { method: "POST" });
+  return parseJsonOrThrow(res, "Could not approve device");
 }
 
 export async function rejectDevice(id) {
-  const res = await authFetch(`/api/devices/${id}/reject`, { method: "POST" });
-  return res.json();
+  const safeId = encodeURIComponent(String(id || ""));
+  const res = await authFetch(`/api/devices/${safeId}/reject`, { method: "POST" });
+  return parseJsonOrThrow(res, "Could not reject device");
 }
 
 export const fetchNodesStatus = async () => {

package/lib/server/routes/pairings.js

@@ -10,8 +10,88 @@ const kAllowedPairingChannels = new Set(["telegram", "discord", "slack", "whatsa
 const kSafePairingArgPattern = /^[\w\-:.]+$/;
 const kDevicesListCliTimeoutMs = 5000;
 const kPairingRequestTtlMs = 60 * 60 * 1000;
+const kDeviceApprovalCallerScopes = [
+  "operator.admin",
+  "operator.read",
+  "operator.write",
+  "operator.approvals",
+  "operator.pairing",
+  "operator.talk.secrets",
+];
 const quoteCliArg = (value) => quoteShellArg(value, { strategy: "single" });
 
+let deviceBootstrapModulePromise = null;
+
+const loadDeviceBootstrapModule = async () => {
+  deviceBootstrapModulePromise ||= import("openclaw/plugin-sdk/device-bootstrap");
+  return deviceBootstrapModulePromise;
+};
+
+const defaultApproveDevicePairingDirect = async (requestId, options, baseDir) => {
+  const mod = await loadDeviceBootstrapModule();
+  if (typeof mod.approveDevicePairing !== "function") {
+    throw new Error("OpenClaw device approval helper is unavailable");
+  }
+  return mod.approveDevicePairing(requestId, options, baseDir);
+};
+
+const formatDevicePairingForbiddenMessage = (result) => {
+  switch (result?.reason) {
+    case "caller-scopes-required":
+      return `missing scope: ${result.scope || "callerScopes-required"}`;
+    case "caller-missing-scope":
+      return `missing scope: ${result.scope || "unknown"}`;
+    case "scope-outside-requested-roles":
+      return `invalid scope for requested roles: ${result.scope || "unknown"}`;
+    case "bootstrap-role-not-allowed":
+      return `bootstrap profile does not allow role: ${result.role || "unknown"}`;
+    case "bootstrap-scope-not-allowed":
+      return `bootstrap profile does not allow scope: ${result.scope || "unknown"}`;
+    default:
+      return "Device pairing approval forbidden";
+  }
+};
+
+const redactApprovedDevice = (device) => {
+  if (!device || typeof device !== "object") return null;
+  const safeDevice = { ...device };
+  delete safeDevice.publicKey;
+  delete safeDevice.tokens;
+  return safeDevice;
+};
+
+const normalizeDeviceApprovalResult = (approval, requestId) => {
+  if (approval?.status === "approved") {
+    return {
+      ok: true,
+      requestId: approval.requestId || requestId,
+      device: redactApprovedDevice(approval.device),
+    };
+  }
+  if (approval?.status === "forbidden") {
+    return {
+      ok: false,
+      statusCode: 403,
+      error: formatDevicePairingForbiddenMessage(approval),
+    };
+  }
+  return {
+    ok: false,
+    statusCode: 404,
+    error: "Device pairing request not found",
+  };
+};
+
+const toHttpDeviceApprovalPayload = (result) => {
+  const { statusCode, ...payload } = result || {};
+  return payload;
+};
+
+const isValidDeviceRequestId = (value) => {
+  const requestId = String(value || "").trim();
+  return Boolean(requestId && kSafePairingArgPattern.test(requestId));
+};
+
 const resolvePairingStorePath = ({ openclawDir, channel }) =>
   path.join(openclawDir, "credentials", `${String(channel).trim().toLowerCase()}-pairing.json`);
 
@@ -136,7 +216,14 @@ const removeAccountRequestsFromPairingStore = ({ fsModule, openclawDir, channel,
   }
 };
 
-const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openclawDir = OPENCLAW_DIR }) => {
+const registerPairingRoutes = ({
+  app,
+  clawCmd,
+  isOnboarded,
+  fsModule = fs,
+  openclawDir = OPENCLAW_DIR,
+  approveDevicePairingDirect = defaultApproveDevicePairingDirect,
+}) => {
   let pairingCache = { pending: [], ts: 0, ttlMs: 0 };
   const kPairingCacheTtlMs = 10000;
   const kEmptyPairingCacheTtlMs = 1000;
@@ -157,6 +244,23 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
     );
   };
 
+  const approveDeviceRequestWithAdminScope = async (requestId) => {
+    try {
+      const approval = await approveDevicePairingDirect(
+        requestId,
+        { callerScopes: kDeviceApprovalCallerScopes },
+        openclawDir,
+      );
+      return normalizeDeviceApprovalResult(approval, requestId);
+    } catch (error) {
+      return {
+        ok: false,
+        statusCode: 500,
+        error: error?.message || "Could not approve device pairing",
+      };
+    }
+  };
+
   const parsePendingPairings = (stdout, channel) => {
     const parsed = parseJsonObjectFromNoisyOutput(stdout) || {};
     const requestLists = [
@@ -320,15 +424,13 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
         const firstCliPendingId = firstCliPending?.requestId || firstCliPending?.id;
         if (firstCliPendingId) {
           console.log(`[alphaclaw] Auto-approving first CLI device request: ${firstCliPendingId}`);
-          const approveResult = await clawCmd(`devices approve ${firstCliPendingId}`, {
-            quiet: true,
-          });
+          const approveResult = await approveDeviceRequestWithAdminScope(firstCliPendingId);
           if (approveResult.ok) {
             writeCliAutoApproveMarker();
             autoApprovedRequestId = String(firstCliPendingId);
           } else {
             console.log(
-              `[alphaclaw] CLI auto-approve failed: ${(approveResult.stderr || "").slice(0, 200)}`,
+              `[alphaclaw] CLI auto-approve failed: ${(approveResult.error || "").slice(0, 200)}`,
             );
           }
         }
@@ -353,13 +455,23 @@ const registerPairingRoutes = ({ app, clawCmd, isOnboarded, fsModule = fs, openc
   });
 
   app.post("/api/devices/:id/approve", async (req, res) => {
-    const result = await clawCmd(`devices approve ${req.params.id}`);
+    const requestId = String(req.params.id || "").trim();
+    if (!isValidDeviceRequestId(requestId)) {
+      return res.status(400).json({ ok: false, error: "Invalid device request id" });
+    }
+    const result = await approveDeviceRequestWithAdminScope(requestId);
     devicePairingCache.ts = 0;
-    res.json(result);
+    res
+      .status(result.ok ? 200 : result.statusCode || 500)
+      .json(toHttpDeviceApprovalPayload(result));
   });
 
   app.post("/api/devices/:id/reject", async (req, res) => {
-    const result = await clawCmd(`devices reject ${req.params.id}`);
+    const requestId = String(req.params.id || "").trim();
+    if (!isValidDeviceRequestId(requestId)) {
+      return res.status(400).json({ ok: false, error: "Invalid device request id" });
+    }
+    const result = await clawCmd(`devices reject ${quoteCliArg(requestId)}`);
     devicePairingCache.ts = 0;
     res.json(result);
   });

package/lib/server/routes/system.js

@@ -28,6 +28,7 @@ const registerSystemRoutes = ({
   doctorService,
 }) => {
   let envRestartPending = false;
+  let openclawSecretRuntimePromise = null;
   const kManagedChannelTokenPattern =
     /^(?:TELEGRAM_BOT_TOKEN|DISCORD_BOT_TOKEN|SLACK_BOT_TOKEN|SLACK_APP_TOKEN)(?:_[A-Z0-9_]+)?$/;
   const kEnvVarsReservedForUserInput = new Set([
@@ -92,6 +93,97 @@ const registerSystemRoutes = ({
     }
     return null;
   };
+  const getEnvFileValue = (key) =>
+    (typeof readEnvFile === "function" ? readEnvFile() : []).find(
+      (entry) => entry?.key === key,
+    )?.value;
+  const normalizeSecretValue = (value) => {
+    if (typeof value !== "string") return "";
+    const trimmed = String(value || "").trim();
+    if (trimmed.length >= 2) {
+      const first = trimmed[0];
+      const last = trimmed[trimmed.length - 1];
+      if ((first === '"' && last === '"') || (first === "'" && last === "'")) {
+        return trimmed.slice(1, -1).trim();
+      }
+    }
+    return trimmed;
+  };
+  const getEnvObject = () => {
+    const env = { ...process.env };
+    for (const entry of typeof readEnvFile === "function" ? readEnvFile() : []) {
+      const key = String(entry?.key || "").trim();
+      if (!key) continue;
+      if (!normalizeSecretValue(env[key])) {
+        env[key] = normalizeSecretValue(entry?.value);
+      }
+    }
+    return env;
+  };
+  const loadOpenclawSecretRuntime = async () => {
+    openclawSecretRuntimePromise ||= Promise.all([
+      import("openclaw/plugin-sdk/secret-input"),
+      import("openclaw/plugin-sdk/runtime-secret-resolution"),
+    ]).then(([secretInput, runtimeSecretResolution]) => ({
+      coerceSecretRef: secretInput.coerceSecretRef,
+      resolveSecretRefValues: runtimeSecretResolution.resolveSecretRefValues,
+    }));
+    return openclawSecretRuntimePromise;
+  };
+  const resolveSecretRefToken = async ({ config, value, env }) => {
+    try {
+      const { coerceSecretRef, resolveSecretRefValues } =
+        await loadOpenclawSecretRuntime();
+      const ref = coerceSecretRef(value, config?.secrets?.defaults);
+      if (!ref) return "";
+      const resolved = await resolveSecretRefValues([ref], { config, env });
+      const refKey = `${ref.source}:${ref.provider}:${ref.id}`;
+      return normalizeSecretValue(resolved.get(refKey));
+    } catch {
+      return "";
+    }
+  };
+  const resolveEnvReference = (value) => {
+    const match = String(value || "").trim().match(/^\$\{([A-Z_][A-Z0-9_]*)\}$/);
+    if (!match) return "";
+    const envKey = match[1];
+    const envValue = process.env[envKey] || getEnvFileValue(envKey);
+    return normalizeSecretValue(envValue);
+  };
+  const getDashboardTokenFromConfig = async () => {
+    const config = readOpenclawConfig({
+      fsModule: fs,
+      openclawDir: OPENCLAW_DIR,
+      fallback: {},
+    });
+    const env = getEnvObject();
+    const configuredToken = config?.gateway?.auth?.token;
+    const resolvedSecretRefToken = await resolveSecretRefToken({
+      config,
+      value: configuredToken,
+      env,
+    });
+    if (resolvedSecretRefToken) return resolvedSecretRefToken;
+    if (typeof configuredToken === "string" && configuredToken.trim()) {
+      const trimmedToken = normalizeSecretValue(configuredToken);
+      if (/^\$\{[A-Z_][A-Z0-9_]*\}$/.test(trimmedToken)) {
+        return resolveEnvReference(trimmedToken);
+      }
+      return trimmedToken;
+    }
+    return normalizeSecretValue(env.OPENCLAW_GATEWAY_TOKEN);
+  };
+  const buildDashboardUrl = (token) =>
+    token ? `/openclaw/#token=${encodeURIComponent(token)}` : "/openclaw";
+  const extractDashboardTokenFromOutput = (stdout) => {
+    const tokenMatch = String(stdout || "").match(/[#?&]token=([^\s&#]+)/);
+    if (!tokenMatch) return "";
+    try {
+      return decodeURIComponent(tokenMatch[1]);
+    } catch {
+      return tokenMatch[1];
+    }
+  };
   const getRawSessionKey = (sessionRow = {}) =>
     String(sessionRow?.key || sessionRow?.sessionKey || sessionRow?.id || "").trim();
   const getRawSessionsFromPayload = (payload) => {
@@ -692,14 +784,22 @@ const registerSystemRoutes = ({
 
   app.get("/api/gateway/dashboard", async (req, res) => {
     if (!isOnboarded()) return res.json({ ok: false, url: "/openclaw" });
+    const token = await getDashboardTokenFromConfig();
+    if (token) {
+      return res.json({
+        ok: true,
+        url: buildDashboardUrl(token),
+        source: "config",
+      });
+    }
     const result = await clawCmd("dashboard --no-open");
     if (result.ok && result.stdout) {
-      const tokenMatch = result.stdout.match(/#token=([a-zA-Z0-9]+)/);
-      if (tokenMatch) {
-        return res.json({ ok: true, url: `/openclaw/#token=${tokenMatch[1]}` });
+      const cliToken = extractDashboardTokenFromOutput(result.stdout);
+      if (cliToken) {
+        return res.json({ ok: true, url: buildDashboardUrl(cliToken) });
       }
     }
-    res.json({ ok: true, url: "/openclaw" });
+    res.json({ ok: true, url: "/openclaw", needsAuth: true });
   });
 
   app.get("/api/restart-status", async (req, res) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.9.13",
+  "version": "0.9.15",
   "publishConfig": {
     "access": "public"
   },
@@ -33,7 +33,7 @@
   "dependencies": {
     "express": "^4.21.0",
     "http-proxy": "^1.18.1",
-    "openclaw": "2026.5.2",
+    "openclaw": "2026.5.6",
     "ws": "^8.19.0"
   },
   "devDependencies": {